Many computer networks include firewalls as standalone devices or as a module of a traffic management or other network device capable of providing additional services. Traffic management computing devices including firewall functionality can be configured to provide services, such as accelerating, optimizing, and/or load balancing network traffic exchanged between client computing devices and the server computing devices, for example. Traffic management computing devices can implement firewalls in order to restrict unauthorized and/or malicious network traffic from accessing network resources.
Accordingly, firewall administrators deploy firewall policies on the traffic management computing devices, which are often very complicated and include a significant number of rules for analyzing network traffic. Based on the analysis, an action corresponding to a matching one of the rules is taken for a packet. The actions generally include allowing the packet to proceed to the destination, allowing the packet to be analyzed by a next firewall policy in a different context, or denying the packet. Over time, there is generally a need to update or modify a deployed firewall policy.
However, currently there is no efficient way for a firewall administrator to determine the effect of a policy change prior to deploying a new or modified policy. Due to the complexity of the policies, one change may have unintended consequences on other policies or the network traffic. Accordingly, firewall administrators often deploy a new or modified policy and then roll it back and replace it with a prior policy when an issue arises in a live environment. This type of validation process is often disruptive for users and is inefficient for firewall administrators. Additionally, currently there is no effective way for a firewall administrator to test or visualize the operation of a firewall having many firewall policies in various contexts.